One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It’s interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.
The plaintiff contended that he and others affected by the breach faced an increased risk of becoming victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was “actual or imminent, not conjectural or hypothetical.” That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.